[57] ABSTRACT

A method for updating antivirus files on a computer using 
push technology is disclosed. In a preferred embodiment, 
updated virus signature files or other updated antivirus 
information is loaded onto a central antivirus server, while 
local push agent software is installed on the client computer. 
When the user of the client computer is connected to the 
Internet, the push agent software operates in the background 
to receive updated antivirus files from the central antivirus 
server across the Internet, in a manner which is substantially
transparent to the user. In another preferred embodiment, 
antivirus files on a plurality of client computers on a 
corporate computer network are automatically updated 
using push technology and automated network installation 
scripts. A service computer associated with the plurality of 
client computers receives one or batches of antivirus updates 
from a central antivirus server across the Internet using push 
technology. An automatic installation script is executed to 
install the antivirus updates on the client computers of the 
corporate computer network with a minimum of involve- 
ment from a corporate system administrator or, optionally, 
no involvement from the corporate system administrator. 

2 Claims, 14 Drawing Sheets 
METHOD AND SYSTEM FOR PROVIDING
AUTOMATED UPDATING AND UPGRADING
OF ANTIVIRUS APPLICATIONS USING A
COMPUTER NETWORK

FIELD OF THE INVENTION

The present invention relates generally to computer systems
and computer networks. In particular, the present invention
relates to a method and system for maintaining and updating
antivirus applications in computers attached to a computer
network.

BACKGROUND OF THE INVENTION

The generation and spread of computer viruses is a major
problem in modern day computing. Generally, a computer
virus is a program that is capable of attaching to other
programs or sets of computer instructions, replicating itself,
and performing unsolicited or malicious actions on a computer
system. Generally, computer viruses are designed to spread by
attaching to floppy disks or data transmissions between
computer users, and are designed to do damage while remaining
undetected. The damage done by computer viruses may range from
mild interference with a program, such as the display of an
unwanted political message in a dialog box, to the complete
destruction of data on a user's hard drive. It is estimated
that new viruses are created at a rate of over 100 per month.

A variety of programs have been developed to detect and
destroy computer viruses. As is known in the art, a common
method of detecting viruses is to use a virus scanning engine
to scan for known computer viruses in executable files,
application macro files, disk boot sectors, etc. Generally,
computer viruses are comprised of binary sequences called
"virus signatures." Upon the detection of a virus signature
by the virus scanning engine, a virus disinfection program
may then be used to extract the harmful information from the
infected code, thereby disinfecting that code. Common virus
scanning software allows for boot-sector scanning upon
system bootup, on-demand scanning at the explicit request
of the user, and/or on-access scanning of a file when that file
is accessed by the operating system or an application.

In order to detect computer viruses, a virus scanning
engine is generally provided in conjunction with one or
more files called "virus signature files". The virus scanning
engine scans a user's computer files via a serial comparison
of each file against the virus signature files. Importantly, if
the signature of a certain virus is not contained in any of the
virus signature files, that virus will not be detected by the
virus scanning engine.

By way of example, and not by way of limitation, one
leading antivirus program and its accompanying virus
signature files will be described. It is emphasized that this
example is presented only for clarity of presentation, and
does not limit the scope or context of the preferred
embodiments to certain software packages, software types, or
operating system types. Indeed, the preferred embodiments
are advantageously applied to many different types of
antivirus software programs on many different types of
operating systems and computing configurations.

A leading antivirus application, produced by McAfee
Associates, is called VirusScan™. VirusScan™ is a software
application offered for sale in a variety of outlets and forms.
VirusScan™ is accompanied by documentation in printed
form (see, e.g., "VirusScan Quick Start Guide", McAfee
Associates 1997, accompanying the CD-ROM version of
VirusScan for Windows 95, NT, 3.1x, DOS and OS/2), in
computer-readable form (see, e.g., the directory \MANUALS
on the CD-ROM version of VirusScan for Windows 95,
NT, 3.1x, DOS and OS/2), and on the World Wide Web at
http://www.mcafee.com. The contents of these documents
are hereby incorporated by reference into the present
application.

In one form, the VirusScan™ application is adapted for
use on a user's client computer running on a Windows 95™
platform. A main routine used by this antivirus application
is "SCAN.EXE", a program file that is typically placed in
the directory C:\PROGRAM_FILES\MCAFEE\VIRUSSCAN on the
user's hard drive. The program SCAN.EXE is adapted to be used
for any of the following types of virus scanning: virus
scanning of system boot-sectors at startup, on-demand virus
scanning at the explicit request of the user, and on-access
virus scanning of a file when that file is accessed by the
operating system or an application. In the Windows 95™
environment, the Registry files are often modified such that
SCAN.EXE is run at computer startup, and also remains resident
for scanning all files upon file access.

In a typical configuration, VirusScan™ is used in
conjunction with a set of virus signature files having the
names CLEAN.DAT, MCALYZE.DAT, NAMES.DAT, and SCAN.DAT. As of
McAfee's Oct. 15, 1997 release of version 3010 of its
VirusScan™ signature file updates, these virus signature
files collectively comprise over 1.6 MB of virus information.
In a typical configuration, the files CLEAN.DAT,
MCALYZE.DAT, NAMES.DAT, and SCAN.DAT are also
placed in the directory C:\PROGRAM_FILES\MCAFEE\VIRUSSCAN
on the user's hard drive.

For purposes of clarity and simplicity in describing the
background and preferred embodiments, this disclosure will
refer to a generic antivirus program
"Antivirus_Application.exe" and a generic antivirus signature
file VIRUS_SIGNATURES.DAT.

Generally speaking, a recent trend is for manufacturers of
antivirus applications to update their virus signature files
VIRUS_SIGNATURES.DAT as new viruses are discovered
and as cures for these viruses are developed, and to make
these updated signature files available to users on a periodic
basis (e.g. monthly, quarterly, etc.). For example, an
antivirus program manufacturer may post the update file
VIRUS_SIGNATURES.DAT on a bulletin board system, on an FTP
(File Transfer Protocol) site, or on a World Wide Web site for
downloading by users.

FIG. 1 illustrates one serious problem that arises from the
constant onslaught of new viruses. FIG. 1 shows a flowchart
of steps 100 which can occur when a typical user purchases
and loads an antivirus program equipped with virus signature
files, but neglects to keep its virus signature files
current. At step 102, on a first date such as April 1, Year 0
(Apr. 1, 2000), the user acquires and loads the antivirus
application Antivirus_Application.EXE and the signature
files VIRUS_SIGNATURES.DAT, the file VIRUS_SIGNATURES.DAT
having a last-revised date, for example,
of Feb. 1, 2000. At step 104, the Antivirus_Application.exe
routine and the VIRUS_SIGNATURES.DAT file are successfully
run on the user's computer. The user, being satisfied
that he or she has adequately protected the computer,
does not update the VIRUS_SIGNATURES.DAT file.
However, in the meantime, as shown in FIG. 1 at step 106,
on May 15, 2000 a third-party "hacker" develops and begins
the distribution and spreading of BAD_APPLE.V, a new
virus which replicates itself and destroys user data. At step
108, on Jul. 15, 2000, the antivirus manufacturer who makes
Antivirus_Application.exe discovers BAD_APPLE.V. At
step 110, that day the manufacturer develops a fix for
BAD_APPLE.V and writes its virus signature (along with
data to implement the fix) into the next release of
VIRUS_SIGNATURES.DAT. At step 112, the antivirus manufacturer
releases an updated VIRUS_SIGNATURES.DAT dated
Sep. 1, 2000. In addition to containing other virus signatures
and fixes, the new VIRUS_SIGNATURES.DAT file con- 
tains the virus signature and fix for BAD_APPLE.V. 

At step 114, on Jan. 13, 2001, the user from step 104 
finally becomes infected by the BAD_APPLE.DAT virus. 
For example, the user may have borrowed a floppy disk 
infected with BAD_APPLE.V from a friend, or may have
downloaded an application infected with BAD_APPLE.V 
from the Internet. At that very time, at step 116, the program 
Antivirus_Application.exe scans the infected program. 
However, at step 116 the BAD_APPLE.V virus goes unde-
tected by Antivirus_Application.exe because the VIRUS_ 
SIGNATURE.DAT file being used is an old one dated Feb. 
1, 2000, and therefore it does not contain the virus signature 
for BAD_APPLE.V. Because it has remained undetected, at
step 118 on Jan. 19, 2001, the BAD_APPLE.V virus
destroys data on the user's computer. 

The scenario of FIG. 1 is a common manner in which 
desktop systems that are purportedly "protected" from infec- 
tion nevertheless become infected by new viruses, and 
represents a problem unique to computer antivirus applica- 
tions. Upgrades to antivirus files generally have no effect on 
the user's usage of the desktop system. As represented by the 
scenario of FIG. 1, the need for antivirus upgrades is often 
not realized by a user until it is too late. In another common 
scenario, the virus scanning Antivirus_Application.exe may
itself be outdated, having been superseded by a newer and 
superior engine. These outdated engines are often unable to 
detect the new species of viruses, which are constantly 
evolving, such as "stealth" viruses and "polymorphic" 
viruses. 

Unfortunately, even if the user is comparatively sophis- 
ticated in his or her ability to maintain the most recent virus 
scanning engines and virus signature files, preventable virus 
infection may still occur. With the proliferation of users on 
the Internet and World Wide Web, new viruses may be 
spread almost instantaneously upon their introduction. 
Unless the user affirmatively checks up on the manufactur- 
er's new releases daily, his or her system may not be 
protected with the most recent virus signature files and 
scanning routines available. 

FIG. 2 illustrates another practical problem that may arise 
regarding antivirus software distribution, this time in the 
context of a typical corporate local area network (LAN). 
FIG. 2 shows a typical local area network 200 comprising a 
network server 202, a communications network 204 such as 
an ETHERNET network, a plurality of user nodes 
206A-206N, and an Internet gateway 208. As known in the 
art, Internet gateway 208 is generally coupled via an appro- 
priate protocol connection to the Internet 210, either through
an ISP (Internet Service Provider) or a dedicated connection 
to the Internet 210. 

In a common scenario associated with the environment of 
FIG. 2, one or more dedicated system administrators 212 
have the task of ensuring that the antivirus software on the 
local desktop machines 206A-206N stays updated. Thus, in 
the environment of FIG. 2, there are additional layers of 
complexity associated with the updating of desktop antivirus 
software in comparison to the single user scenario. In 
particular, the system administrator 212 must (a) maintain an 
awareness of all antivirus software needs of the various user
nodes 206A-206N, (b) maintain an awareness of all update 
information relating to the antivirus software, and (c) 
retrieve and install the latest versions and updates for each 
user node as soon as those updates become available. While 
modern antivirus updating systems may allow the system 
administrator 212 to manually request and receive updates 
from an antivirus manufacturer FTP or World Wide Web Site 
214 across the Internet 210, as shown in FIG. 2, it is 
nevertheless a labor-intensive task to distribute and install 
the antivirus updates effectively and rapidly. The antivirus 
update collection and distribution tasks can readily become 
difficult to keep up with, especially where a typical corporate 
network may have a variety of hardware platforms (e.g., 
IBM, Macintosh, Sun, Silicon Graphics), and a variety of 
software platforms (e.g., Windows 95, Windows 3.1, DOS, 
LINUX, UNIX, Macintosh), each combination of which 
will have its own unique set of virus scanning engines and 
virus signature files. It is well known in the art, for example, 
that viruses are operating system specific, and so the local 
client computers 206A-206N of FIG. 2 will likely require 
several different virus scanning engines and virus signature 
files. Each of these product lines will likely have distinct and 
disparate updating schedules, further frustrating the efforts 
of the system administrator 212. 

Accordingly, it would be desirable to provide a method 
and system for providing the most up-to-date virus
scanning, disinfection, and signature files on a user's com- 
puter for protecting against the newest viruses. 

It would be further desirable to provide a method and 
system for the antivirus software updating to be simple and 
automatic, such that unsophisticated users are consistently 
provided with the most recent antivirus protection available. 

It would be even further desirable to provide a method of
antivirus software update distribution which allows a higher 
frequency of update releases from antivirus software manu- 
facturers for the most up-to-date, or even up-to-the-hour, 
antivirus protection available. 

It would be even further desirable to provide a method of 
automated antivirus software update distribution to the dif- 
ferent types of user nodes of a local corporate network, with 
minimized intervention required by the system administra- 
tor. 

SUMMARY OF THE INVENTION 

These and other objects are achieved by a method and 
system for updating local client computers with antivirus 
software updates from a central antivirus server, the local 
client computers and the central antivirus server being 
coupled by a packet-switched network, wherein the antivirus 
software updates are transferred from the central antivirus 
server to a given local client computer using a push tech- 
nology method. The central antivirus server comprises a first 
database containing information related to the latest antivi- 
rus software updates contained on each local client 
computer, and uses push technology to transmit updated 
antivirus files if the local client computer's antivirus files are 
out of date. 
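
The server-side decision and client notification summarized above, as an added Python example (not code from the patent). The class and method names, the integer release counter, the database layout and the second subscriber are assumptions made for illustration; the user ID BJONES01234 and address 205.84.4.137 are the sample values the description itself gives for the client's notification.

```python
"""Added illustration of the push-update exchange; not code from the patent."""
from dataclasses import dataclass, field


@dataclass
class CentralAntivirusServer:
    latest_version: int = 0      # constructed integer release counter
    latest_file: bytes = b""     # contents of VIRUS_SIGNATURES.DAT
    # Subscriber database (constructed schema):
    # user ID -> [last IP address seen, last version sent to that client]
    database: dict = field(default_factory=dict)

    def publish(self, version: int, file_bytes: bytes) -> None:
        """Load a newer signature file onto the central server."""
        if version <= self.latest_version:
            raise ValueError("a release must be newer than the current one")
        self.latest_version, self.latest_file = version, file_bytes

    def notify(self, user_id: str, ip_address: str):
        """Client announces it is online.

        Returns (version, file) if the database shows the client has not
        been sent the most recent update, otherwise None.
        """
        record = self.database.setdefault(user_id, [ip_address, 0])
        record[0] = ip_address   # a dial-up client gets an address per session
        if record[1] >= self.latest_version:
            return None
        # The database records what was *sent*; a transfer lost in transit
        # would leave this entry ahead of what the client actually holds.
        record[1] = self.latest_version
        return self.latest_version, self.latest_file


@dataclass
class UpdateAgent:
    user_id: str
    ip_address: str
    installed_version: int = 0
    signatures: bytes = b""
    log: list = field(default_factory=list)

    def poll(self, server: CentralAntivirusServer, online: bool) -> bool:
        """One pass of the agent loop; returns True if an update was loaded."""
        if not online:                   # no network connection: stay dormant
            self.log.append("dormant")
            return False
        update = server.notify(self.user_id, self.ip_address)
        if update is None:               # nothing sent: pause until next pass
            self.log.append("pause")
            return False
        version, file_bytes = update
        if version <= self.installed_version:   # never load an older file
            self.log.append("ignored")
            return False
        self.installed_version, self.signatures = version, file_bytes
        self.log.append(f"loaded v{version}")
        return True


def simulate():
    """Run a constructed session with two subscribers and two releases."""
    server = CentralAntivirusServer()
    server.publish(1, b"OLD_WORM.A")                  # constructed contents
    first = UpdateAgent("BJONES01234", "205.84.4.137")
    second = UpdateAgent("USER2", "192.0.2.10")       # constructed subscriber
    first.poll(server, online=False)   # not connected yet
    first.poll(server, online=True)    # receives release 1
    first.poll(server, online=True)    # already current
    server.publish(2, b"OLD_WORM.A\nBAD_APPLE.V")
    first.poll(server, online=True)    # receives release 2
    second.poll(server, online=True)   # first contact goes straight to 2
    return first, second, server


if __name__ == "__main__":
    a, b, s = simulate()
    print(a.log, b.log, s.database)
```
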

In another preferred embodiment, the computer network 
is a packet-switched network, the central antivirus server is
coupled to the computer network using a packet-switched 
protocol, and each of the plurality of local client computers 
is coupled to the computer network using a packet-switched 
protocol. Each client computer intermittently notifies the 
central antivirus server that the client computer is actively 
coupled to the computer network. The central antivirus 
server thereupon evaluates whether that client computer has
been sent the most recent antivirus file updates. If the client
computer has not been sent the most recent antivirus
updates, the central antivirus server transmits updated
antivirus files to that client computer over the computer
network.

In another preferred embodiment, the computer network
is a packet-switched network, the central antivirus server is
coupled to the computer network using a packet-switched
protocol, and each of the plurality of local computers is
coupled to the computer network using a packet-switched
protocol. Each local computer has a maximum allowable
data rate between itself and the computer network. When a
data transfer rate between the computer network and any
local computer falls below a first data rate less than the
maximum data rate, the excess transport capacity is detected
and used to allow transmission of updated virus software
files from the central antivirus server to the local computer.

In another preferred embodiment, a plurality of local
client computers are coupled to a local area network
antivirus server across a local area network. The local area
network antivirus server is, in turn, coupled to a central
antivirus server across a packet-switched network. The
central server uses push technology to automatically
transmit antivirus software updates to the local area network
antivirus server whenever any of the plurality of local client
computers contain antivirus software which is out of date.
The central antivirus server additionally transmits
instructions to the local area network antivirus server
sufficient to allow automatic downloading and installing of the
antivirus updates onto the appropriate local client computer
with minimized intervention from a system administrator.

Advantageously, in antivirus update distribution systems
according to the preferred embodiments described herein,
there is an opportunity for minimized latency between the
discovery of a new virus by an antivirus manufacturer and
the loading of the new protective updates onto user desktops.
Because human intervention in the update process is
minimized or eliminated altogether at the client desktop,
antivirus manufacturers are free to distribute antivirus
updates as often as necessary to counteract the latest computer
viruses, without the need to worry about overloading users with
antivirus update activity.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows steps corresponding to one prior art scenario
of antivirus software distribution and virus infection;

FIG. 2 shows a computer network and an antivirus server
coupled to the Internet according to the prior art;

FIG. 3 shows a computer network according to a preferred
embodiment;

FIG. 4 shows steps taken by a client computer according
to a preferred embodiment;

FIGS. 5A and 5B show a sample directory structure and
directory listings of client computer files according to a
preferred embodiment;

FIG. 6 shows steps taken by a central antivirus server
according to a preferred embodiment;

FIG. 7 shows a diagram of a database contained within a
central antivirus server according to a preferred embodiment;

FIG. 8 shows a diagram of a computer network according
to another preferred embodiment;

FIGS. 9A and 9B show a sample directory structure and
directory listings of client computer files according to
another preferred embodiment;

FIG. 10 shows a diagram of a computer network according
to another preferred embodiment;

FIG. 11 shows a portion of an antivirus update database
kept according to a preferred embodiment;

FIG. 12 shows steps taken by a local area network
administration computer according to a preferred embodiment.

DETAILED DESCRIPTION OF THE
INVENTION

FIG. 3 shows a computer network 300 according to a
preferred embodiment. Computer network 300 comprises a
client computer 302. For illustrative purposes, and not by
way of limitation, client computer 302 is a Pentium™-based
client computer running on a Windows 95 operating system.
Client computer 302 has a packet-switched connection to the
Internet 304 using any of a variety of connection means
known in the art. The embodiment shown in FIG. 3 shows,
for example, the client computer 302 coupled to an Internet
service provider 306 over a SLIP (Serial Line Interface
Protocol) or PPP (Point to Point Protocol) connection.
Internet service provider 306 is, in turn, coupled to the
Internet 304, the client computer 302 thereby having the
ability to send and receive information to other nodes on the
Internet 304 using the TCP/IP protocol (Transmission Control
Protocol/Internet Protocol).

In the example of FIG. 3, the dial-up connection between
Internet service provider 306 and client computer 302 is not
a permanent connection. Rather, the dial up connection
exists only when the client computer 302 dials Internet
service provider 304 over the public switched telephone
network using a modem. A SLIP or PPP connection is then
established between client computer 302 and Internet service
provider 306, and client computer 302 is assigned an IP
address 305 at that time. Importantly, however, the scope of
the preferred embodiment is not necessarily limited to
dial-up Internet connections between client computer 302
and the Internet 304. Any of a variety of computer networking
connection methods are also within the scope of the
preferred embodiment including, but not limited to, a
full-time or dedicated connection between client computer 302
and Internet 304, or any other type of connection between
client computer 302 and a computer network which assigns
client computer 302 an address for allowing the transmission
of information to and from client computer 302.

Shown in FIG. 3 is a central antivirus server 308 having
a packet-switched connection to Internet 304. Central
antivirus server 308 generally comprises a computer that is
capable of sending and receiving information over the
Internet 304, capable of storing, retrieving, and maintaining
antivirus files, and capable of running other applications. In
one form, the central antivirus server 308 comprises a World
Wide Web site having a variety of useful antivirus
information available to subscribers. Central antivirus server
308 is usually associated with an antivirus software
manufacturer, storing and maintaining versions of antivirus
application and signature files created by that manufacturer.
However, the scope of the preferred embodiment is not so
limited, and central antivirus server 308 may also comprise,
for example, a general "clearinghouse" of information on a
variety of topics, and may be capable of running
non-antivirus-related applications.

Using means not shown in FIG. 3, central antivirus server
308 is kept up-to-date with the latest releases of antivirus
files, and in the present example is kept up to date with the
most recent versions of Antivirus_Application.exe and
VIRUS_SIGNATURES.DAT. Importantly, according to a
preferred embodiment, the file VIRUS_SIGNATURES.DAT
may be updated monthly, weekly, daily
or even hourly as newly unleashed viruses are discovered,
analyzed, and remedied. Once a virus is remedied, e.g. once
its signature is determined, the new signature may be
integrated into the file VIRUS_SIGNATURES.DAT by the
antivirus application manufacturer.

FIG. 4 shows steps taken by client computer 302 in
accordance with a preferred embodiment. At step 402 the client
computer 302 is turned on or otherwise activated. At this
time, as known in the art, antivirus application software on
client computer 302 is activated, usually automatically. The
antivirus application software scans for viruses on client
computer 302 by comparing all executable files, macro files,
[illegible] VIRUS_SIGNATURES.DAT. According to a preferred
embodiment, at step 404 a desktop antivirus update agent is
started and remains resident in client computer 302.

As shown at step 406, the desktop antivirus agent on
client computer 302 generally remains dormant until the
client computer 302 is connected to the Internet via a TCP/IP
connection and an Internet interface program such as a Web
browser is activated. Step 406 is a detection step, wherein
the antivirus update agent queries the operating system of
client computer 302 for an indication that a TCP/IP
connection and that a Web browser has been invoked.

At step 408 the antivirus update agent transmits a
sequence of information packets to the central antivirus
server 308 for notifying the central antivirus server 308 that
a TCP/IP connection and a Web browser have been activated
at client computer 302. Among the information transmitted
from client computer 302 to central antivirus server 308 are
two items of data used for achieving automated download
and updating of antivirus files on client computer 302. In
particular, (a) the IP address 305 of client computer 302
(e.g., 205.84.4.137), and (b) a unique user ID (e.g.,
"BJONES01234") are transmitted to central antivirus server
308.

At step 410 antivirus update files are received by client
computer 302 if any such files are sent by the central
antivirus server 308. If any such files are received, at step
412 the antivirus update files are loaded. If any such files are
not received, at step 414 the antivirus update agent pauses
for a period of time. Following step 412 or 414, as the case
may be, the decision step 406 is again performed if the client
computer is still turned on and operating, as reflected by a
"positive" branch at step 416. The loading step shown at FIG.
4 may be an automatic loading step, wherein the downloaded
files automatically self-execute and insert the
updated file VIRUS_SIGNATURES.DAT into the appropriate
directory of the client computer 302. Optionally,
according to another preferred embodiment, the downloaded
file may cause a "flash" notification to be seen by the user,
advising the user that new antivirus files have been
downloaded, and that the existing files currently being used
in the antivirus application are now outdated. The user may
then be given the option to (a) allow the downloaded files to
be extracted and installed immediately, or (b) abey the
installation process until a later time.

FIG. 4 also shows the step 418, whereby the user browses
the Internet normally, followed by the step 420, whereby the
user logs off the Internet. Importantly, according to a
preferred embodiment, the antivirus updating steps 408-414
are carried out in parallel with the steps 418-420, that is, the
antivirus updating steps 408-414 are carried out in the
"background" and are transparent to the user. In some
circumstances there may be slight delays or longer download
times caused by the background downloading of the
antivirus update files, but the operation of the client
computer 302 as seen by the user is generally unaffected.

FIG. 5A shows a printout of the directory structure and
certain file listings from a hard drive of client computer 302
according to a preferred embodiment. For exemplary
purposes, client computer 302 comprises a hard drive E:,
shown as element 502 in FIG. 5A, which is loaded with
[illegible] and application files [illegible] antivirus
[illegible]. In accordance with standard Windows
95™ organization methods, hard drive 502 comprises a My
Documents directory 504 containing user files, a Program
Files directory 506 containing program directories, and a
Windows directory 508 containing operating system files.
Program Files directory 506 comprises an Antivirus Software
directory 510 containing antivirus application and
signature files, an Explorer directory 512 containing
a Microsoft Internet Explorer™ Web browser, a Netscape
directory 514 containing a Netscape Navigator™ Web
browser, and other program file directories.

Antivirus Software directory 510 contains a DAT Signature
Files directory 516 and a Program directory 518. The
contents of Program directory 518 are shown on the right
hand side of FIG. 5A. Program directory 518 comprises a
first executable file Antivirus_Application.exe 520 and a
second executable file Antivirus_Update_Agent.exe 522.
As known in the art, at computer startup the program
Antivirus_Application.exe 520 is executed or, alternatively,
this program can be manually invoked by the user. One
manner in which to cause Antivirus_Application.exe 520 to
automatically execute at startup is to place a shortcut to this
program in the "Startup" portion of the Windows 95™ Start
menu system.

According to a preferred embodiment, the program
Antivirus_Update_Agent.exe 522 is the program which is
designed to perform the steps shown generally in FIG. 4.
The program Antivirus_Update_Agent.exe 522 is designed
to begin execution at computer startup, either through
placement of a shortcut to it in the "Startup" portion of the
Windows 95™ Start menu system, or by other methods
known in the Windows 95™ programming art. The program
Antivirus_Update_Agent.exe 522 is designed to interact
with the operating system such that the creation of a TCP/IP
connection to the Internet and the invocation of a Web
browser is recognized. Once this connection is recognized,
the program Antivirus_Update_Agent.exe 522 causes
communication with central antivirus server 308 to
commence, wherein antivirus updates are received if the
current antivirus files are outdated.

FIG. 5B shows a printout of the directory structure of FIG.
5A except with contents of the directory E:\Program
Files\Antivirus Software\DAT Signature Files 516 being
shown in the right hand window. As shown in FIG. 5B, the
exemplary virus signature file VIRUS_SIGNATURES.DAT 524
is contained in the DAT Signature
Files directory 516. According to a preferred embodiment, it
is the file VIRUS_SIGNATURES.DAT 524 which contains
the time-sensitive virus signature information, and which is
the file which is most often updated by central antivirus
server 308. According to another preferred embodiment, the
program file Antivirus_Application.exe 522 is itself
updated periodically, as newer scanning approaches are
included in the most recent program versions.

According to another preferred embodiment, there are
other time-sensitive antivirus data files such as the files
Button Bomb Fighters.DAT 526 and Trojan Horse Fighters.DAT 528
downloaded into the DAT Signature Files directory 516. These
additional files, which are designed to counteract the negative
effects of the newest types of harmful software unleashed by
computer hackers, may be associated into the scanning engine
through a linked list provided in the file
ANTIVIRUS_SIGNATURES.DAT. Advantageously, the additional files
may themselves be executable in nature, in which case these
entirely new computer protection applications are automatically
and transparently downloaded and installed.

FIG. 6 shows steps taken by central antivirus server 308
in accordance with a preferred environment. At step 602,
antivirus server 308 determines whether updated antivirus
files from antivirus software developers or engineers are
available. If such an update is available, the updated
antivirus files are loaded at step 604. For purposes of
illustration, and not by way of limitation, the updated
antivirus files are stored in a self-extracting archive file
called UPDATE_SIGNATURES.EXE. The self-extracting archive file
UPDATE_SIGNATURES.EXE comprises a data portion and a program
portion. When this is executed at the client computer 302, as
described infra, the program portion extracts an updated
antivirus file ANTIVIRUS_SIGNATURES.DAT from the data portion
and places it into the appropriate directory of client
computer 302. Although in the present example only a single
data file is stored in the data portion of
UPDATE_SIGNATURES.EXE, multiple files may be delivered by the
self-extracting archive file UPDATE_SIGNATURES.EXE, including
executable programs.

FIG. 6 then shows step 606, wherein central antivirus
server 308 receives a notification that the user or computer
302 is connected to the Internet and has an active browser
application running. Central antivirus server 308 is provided
with that user's identification, e.g. BJONES001234, and his
or her associated IP address. At step 608, central antivirus
server 308 accesses a subscriber database containing a list of
all known or registered subscribers. At step 610, using a
database lookup procedure, central antivirus server 308
determines whether that user has been sent the most recently
updated antivirus files. If the user has already been sent the
latest version of the virus signature files, no action is taken
for that user, wherein steps 602-606 are repeated.

However, if it is determined that the user of client
computer 302 has not received the latest versions of the virus
signature files, new updates are transmitted at step 612. At
step 614, central antivirus server 308 then updates the
subscriber database to reflect that user BJONES001234 has
received the updated antivirus file. Importantly, it is to be
appreciated that steps 606-614 are carried out for each of the
plurality of subscribers such as BJONES001234. Generally
speaking, there may be many such subscribers. Central
antivirus server must therefore be equipped with sufficient
hardware and database capability to handle the resulting
traffic.

FIG. 7 shows a diagram of a database 700 contained
within central antivirus server 308. Database 700 comprises
an antivirus database 702 and a subscriber database 704 as
shown in FIG. 7. Shown in antivirus database 702 are virus
signature files and executable program files which represent
the latest available versions, along with the operating
systems to which they apply. Shown in subscriber database 704
is a list of all known or registered subscribers along with
their operating system types and the types and dates of the
last updates sent for each subscriber. The data shown in FIG.
7 is for illustrative purposes; other useful information may
be also included in database 700. Through the use of
database 700, central antivirus server 308 is capable of
determining the requirements of each subscriber, and is
capable of determining whether a given subscriber is
updated with the latest versions of the required antivirus
software.

FIG. 8 shows a diagram of a computer network 800
according to another preferred embodiment. It has been
found that a mechanism for pushing the needed updates to
client computers can be efficiently configured using a
dedicated push administrator system separate from the central
antivirus server 308. In practice, the push administrator is
separated from the administrators of the central antivirus
server company both physically and organizationally, allowing
the antivirus software developer to focus on the antivirus
[illegible] administrator [illegible] mechanism.

Computer network 800 comprises a client computer 802,
the Internet 804, and an ISP 806 similar to the elements 302,
304, and [illegible], respectively, of FIG. 3. Computer
network 800 further comprises a central antivirus server 808
coupled to the Internet 804, and a push administration system
810 also coupled to the Internet 804. In the embodiment of
FIG. 8, the central antivirus server 808 serves a more limited
function than the central antivirus server 308 of FIG. 3. In
particular, the antivirus server 808 has limited interaction
with client computer 802, and instead transfers updated
antivirus files to the push administration system 810. It is
the push administration system 810 that interacts with client
computer 802 in a manner similar to the steps 606-614 of FIG.
6, but may interact with client computer 802 with regard to
other applications such as technical news updates or
[illegible] updates. Advantageously according to the
preferred embodiment, the antivirus developers or engineers
are permitted to focus on the antivirus aspects of the updates,
and the push administration system provider may focus on
optimally delivering the information to the client desktop
using push technology. Additionally the user of client
computer 802 is attracted to the push administration system
because of the variety of [illegible] and/or entertaining
information that may be obtained. Together, these elements
provide for faster and more efficient distribution and
delivery of [illegible] antivirus software updates to the
client computer 802 as compared to prior art antivirus
distribution [illegible].

In general, the push administration system 810 pushes
channelized information to the client desktop 802 according
to a subscription plan for the user of client computer 802.
Antivirus update files are delivered on one of the subscriber
channels.

FIG. 9A shows a printout of the directory structure from
a hard drive of client computer 802 according to the
embodiment of FIG. 8, and in particular shows file listings of
an Antivirus Software directory 902 on client computer 802.
Similar to the embodiment of FIG. 3, Antivirus Software
directory 902 comprises a DAT Signature Files directory
904 and a Program directory 906. However, as shown in the
directory listing of FIG. 9B, client computer 802 also
comprises a Push Update Agent directory 908. Push Update
Agent directory 908 contains a program directory 910 and a
data directory 912 that are dedicated for push update
applications and for interacting with push administration
system 810.

FIG. 9B also shows a printout of the contents of the
program directory 910. Program directory 910 comprises a
program Push_Agent.exe 914 designed to interact with
push administration system 810 and supply updated
information to a plurality of subscriber channels when the
user of client computer 802 is connected to the Internet 804
and has activated a web browser. FIG. 9B shows channel
directories 916 contained within the data directory 912.
Push_Agent.exe program 914 operates in the background, i.e.,
in a manner which is transparent to the user of client
computer 802, and loads update information into channel
directories according to the user's subscription preferences.

According to a preferred embodiment, one of the user's
subscription preferences is an antivirus update channel
associated with the Antivirus_Application.exe program
manufacturer. Support applications for configuring the user
subscription preferences may be included in the program
directory 910, as shown in FIG. 9A. When the user of client
computer 802 has appropriately subscribed to an antivirus
update channel, update files for that channel are placed, for
example, in the channel subdirectory "ChanS" shown in
FIG. 9B. The Push_Agent.exe program 914 and supporting
applications keep track of the subscriber channels associated
with the channel directories 916.

FIG. 10 shows a diagram of a computer network 1000
according to another preferred embodiment. Computer
network 1000 comprises a central antivirus server 1002, a push
administration system 1003, the Internet 1004, and a
corporate computer network 1006. Although the scope of the
preferred embodiment may encompass networks of any size,
it is most advantageously applied to large corporate
networks comprising many client computers. Accordingly, the
corporate network shown in FIG. 10 comprises a large
number of nodes, including: a first set of client computers
1008, which may correspond, for example, to the marketing
department of a company; a local server 1010 coupled to the
client computers 1008; a second set of client computers
1012 which may correspond, for example, to the finance
department of a company; a local server 1014 coupled to the
client computers 1012; a third set of client computers 1016
which may correspond, for example, to the engineering
department of a company; a local server 1018 coupled to the
client computers 1016; a gateway computer 1019 for linking
corporate network 1006 to the Internet 1004, etc. The
computers 1008-1019 are coupled as shown in FIG. 10, but
may generally be arranged in any of a variety of corporate
computer network structures.

As with most typical corporate networks, corporate
network 1006 comprises a service computer 1020 coupled as
shown in FIG. 10. Generally speaking, a service computer is
a computer dedicated at least in part to assisting in servicing
the various hardware and software applications being used
in corporate computer network 1006. Such computers are
typically run by system administrators, help desk
administrators, or designated power users, and are referred
to by various names such as help desks, administration
computers, or other names. Shown in FIG. 10 is a system
administrator 1022 who operates the service computer 1020
and generally configures and maintains corporate network
1006 and its hardware and software applications.

According to a preferred embodiment, service computer
1020 is loaded with a group update agent software package
capable of (a) automatically receiving antivirus software
updates for a variety of client computers on the corporate
network 1006 according to a push technology method, and
(b) automatically distributing the antivirus updates to the
respective client computers, in a manner which is
transparent to both the system administrator 1022 and to the
users of the client computers. Advantageously, the most recent
antivirus software is distributed to the client computers on
corporate network 1006 without the need for affirmative
action by the system administrator 1022. This can
advantageously lead to increased efficiency, lower costs, and
reduced human errors, while at the same time increasing
client computer integrity and network efficiency.

FIG. 11 shows a portion of a database 1100 which is kept
by service computer 1020 according to a preferred
embodiment. The database 1100 comprises a list 1102 of client
computers for which the service desk 1020 is responsible,
along with information 1104 relating to their hardware
versions and operating system versions. Database 1100
[illegible] corporate network 1006, information 1106 related
to the latest antivirus software update [illegible] for each
client computer.

FIG. 12 shows steps taken by service computer 1020
according to a preferred embodiment. Service computer
1020, which usually has a dedicated or full-time connection
to Internet 1004, receives antivirus information from central
antivirus server 1002 according to a push technology
method by periodically transmitting a packet of information
to central antivirus server 1002. In particular, at step 1202,
either in a single packet or multiple packets as required,
service computer 1020 (a) advises the central antivirus
server 1002 that computer 1020 is attached to the
Internet; (b) advises the central antivirus server 1002 of the
types of computers and operating systems for which service
computer 1020 is responsible, and (c) advises the central
antivirus server 1002 of the latest antivirus updates
received by each type of client computer.

At step 1204, service computer 1020 receives antivirus
updates, if any are required, from the central antivirus server
1002. At step 1206, the service computer automatically
distributes the antivirus updates, if any are received, to the
appropriate client computers. Advantageously, an automated
network installation scripting procedure, such as
ISEAMLESS™ from McAfee Associates, is used to distribute and
install the antivirus updates. This allows for a minimum of
intervention, if any, by system administrator 1022, thus
allowing for increased efficiency and enhanced antivirus
protection of the corporate network 1006 with the most up
to date antivirus information available from central antivirus
server 1002. If no updates are sent, service computer 1020
pauses at step 1208, and then steps 1202 to 1204 are
repeated.

It is often the case that only a portion of the client
computers of corporate network 1006 require updates from
the central antivirus server. For example, overnight there
may have been a new release of a signature file update for
UNIX workstations onto central antivirus server 1002, but
no new Windows 95 or MAC OS8 releases. In this case, the
service computer 1020 would only receive the UNIX
updates from central antivirus server 1002, and the
automated installation procedure would distribute and install
the updates only onto the UNIX client computers.

According to a preferred embodiment, central antivirus
server 1002 maintains a database of information which is
complementary to the information contained on service
computer 1020. The corporate customer owning the
corporate network 1006 generally subscribes to the central
antivirus server operator for a fee, which may be a per-update
fee or a fixed time period fee. In an alternative embodiment,
the central antivirus server 1002 maintains a complete
database for the corporate network 1006, including all of the
information which was kept on the service computer 1020 as
shown in FIG. 11. In this case, service computer 1020 would
only transmit limited-information "pings" to central
antivirus server 1002 according to a push technology method,
and would send specific client computer information only when
changes have occurred in corporate network 1006.
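
The FIG. 12 cycle and the UNIX-only release case described above can be modelled as follows. This is an added sketch, not code from the patent: the class names, host names, version numbers, file names and the choice to report the oldest version per operating system are assumptions.

```python
"""Model of the FIG. 12 cycle between service computer 1020 and central server 1002."""
from dataclasses import dataclass, field


@dataclass
class Client:
    name: str          # constructed host name
    os: str            # operating system type, as in information 1104
    last_update: int   # constructed version number of the last update received


@dataclass
class CentralServer:
    """Stands in for central antivirus server 1002."""
    latest: dict = field(default_factory=dict)   # os -> (version, file name)

    def answer(self, report):
        """Return only releases newer than what the service computer reported."""
        updates = {}
        for os_name, have in report["latest_by_os"].items():
            version, filename = self.latest.get(os_name, (0, None))
            if version > have:
                updates[os_name] = (version, filename)
        return updates


class ServiceComputer:
    """Stands in for service computer 1020 and its database 1100."""

    def __init__(self, service_id, clients):
        self.service_id = service_id
        self.clients = clients

    def build_report(self):
        """Step 1202: (a) identify itself, (b) list OS types, (c) latest update per type."""
        latest_by_os = {}
        for c in self.clients:
            # Assumption: report the oldest version in each OS group so that a
            # client that missed an earlier update is still brought up to date.
            latest_by_os[c.os] = min(c.last_update, latest_by_os.get(c.os, c.last_update))
        return {"service_id": self.service_id, "latest_by_os": latest_by_os}

    def distribute(self, updates):
        """Step 1206: install each update only on out-of-date clients of that OS."""
        installed = []
        for c in self.clients:
            if c.os in updates and updates[c.os][0] > c.last_update:
                c.last_update = updates[c.os][0]      # record the install in database 1100
                installed.append((c.name, updates[c.os][1]))
        return installed

    def cycle(self, server):
        """Steps 1202-1206; an empty result is the 'no updates sent' branch (step 1208)."""
        return self.distribute(server.answer(self.build_report()))


def unix_only_release_demo():
    """Constructed data for the patent's example: a new UNIX release, nothing else."""
    clients = [Client("mkt-01", "Windows 95", 7), Client("fin-01", "MAC OS8", 4),
               Client("eng-01", "UNIX", 11), Client("eng-02", "UNIX", 11)]
    server = CentralServer({"Windows 95": (7, "w95_sig_7.dat"),
                            "MAC OS8": (4, "mac_sig_4.dat"),
                            "UNIX": (12, "unix_sig_12.dat")})
    desk = ServiceComputer("CORP-0001", clients)
    return desk.cycle(server), desk.cycle(server)


if __name__ == "__main__":
    first, second = unix_only_release_demo()
    print("first cycle :", first)
    print("second cycle:", second)
```

The second cycle returns nothing because database 1100 already records the UNIX update, which corresponds to the pause at step 1208.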

According to another preferred embodiment, a dedicated 
push administration system 1003 is used for distributing 
antivirus updates to service computer 1020 according to a 
push technology method. The steps performed by push 
administration system 1003 of FIG. 10 are similar in nature 
to the steps performed by push administration server 810 of 
FIG. 8, with added information being maintained for dis- 
tributing multiple sets of antivirus information to service 
computer 1020 according to the database 1100. 

While preferred embodiments have been described, these 
descriptions are merely illustrative and are not intended to 
limit the scope of the present invention. Thus, although the 
embodiments described above were in the context of a 
central antivirus server using "push" technology, wherein 
affirmative queries are sent from resident antivirus update 
agents on local client computers before antivirus update 
packages are sent, those skilled in the art will recognize
that the disclosed methods and structures are readily
adaptable for broader applications. As an example, within 
the scope of the preferred embodiments would be a local
antivirus agent which engages the central antivirus server 
even when the local user is not browsing the Internet. In this 
system, if the browser is not being used and the system is not 
otherwise busy (e.g. in the middle of the night), the local 
antivirus update agent causes the browser to connect to the 
Internet, whereby the push channel to the central antivirus 
server is then automatically invoked. 

As another example, while the preferred embodiments 
have been described in terms of a single central antivirus 
server, within the scope of the preferred embodiments are 
multiple such servers for serving different users or types of 
users, and these multiple antivirus servers may be arranged 
in a hierarchical fashion. Within the scope of such a pre- 
ferred embodiment is a system wherein each local area 
network antivirus server simply acts as a lowest level of an 
antivirus server hierarchy. Also within the scope of such a
preferred embodiment is a system wherein a plurality of
servers in the antivirus server hierarchy are coupled by
means of a private network or an alternative global network
other than the Internet. Thus, while preferred embodiments 
have been described, these descriptions are merely 
illustrative, and the scope of the present invention is limited 
only by the appended claims. 

What is claimed is: 

1. A method for providing updated antivirus files to a 
plurality of client computers on a local area network, the 
client computers being supported by a common service 
computer on the local area network, the common service 
computer being operated by a system administrator, the 
method for providing allowing for minimal affirmative 
involvement by the system administrator in updating antivirus
files on the plurality of client computers, the method
for providing comprising the steps of: 

installing the updated antivirus files on a central antivirus 
server, said central antivirus server comprising: 
an antivirus database, said antivirus database compris- 
ing: 

an identifier for the local area network; 
an identifier for each of the plurality of client com- 
puters on the local area network; 
a first field for storing an identifier of the operating
system used by each of the plurality of client 
computers on the local area network; and 
a second field for storing the identity of the last 
updated antivirus file received by each of said 
plurality of computers on the local area network; 
transmitting the updated antivirus files from said central 
antivirus server to a push administration computer 
connected to the Internet; 
transmitting the updated antivirus files from said push 
administration computer to said service computer using 
push technology; and 
executing an automatic installation script at said service 
computer for automatically installing updated antivirus 
information on said plurality of client computers across 
the local area network; wherein said transmitting steps 
include: 

transmitting a ping signal from said service computer to 
said push administration computer, said ping signal 
including information identifying said service com- 
puter; 

transmitting a first query from said push administration 
computer to said central antivirus server, said first 
query requesting an identity of updated antivirus files 
appropriate for the service computer; 
transmitting a first response from said central antivirus 
computer to said push administration computer iden- 
tifying said appropriate updated antivirus files; and 
transmitting said appropriate updated antivirus files 
from said push administration computer to said ser- 
vice computer. 
2. A method for providing updated antivirus files to a 
plurality of client computers on a local area network, the 
client computers being supported by a common service 
computer on the local area network, the common service 
computer being operated by a system administrator, the 
method for providing allowing for minimal affirmative 
involvement by the system administrator in updating anti- 
virus files on the plurality of client computers, the method 
for providing comprising the steps of: 

installing the updated antivirus files on a central antivirus
server; 

receiving, at a push administration computer connected to 
the internet, a ping signal from said service computer, 
said ping signal including information identifying said 
service computer; 

transmitting a first query from said push administration 
computer to said central antivirus server, said first 
query for requesting updated antivirus files appropriate 
for the service computer; 

transmitting a first response from said central antivirus 
computer to said push administration computer includ- 
ing said appropriate updated antivirus files; 

transmitting said appropriate updated antivirus files from 
said push administration computer to said service com- 
puter using push technology; and executing an auto- 
matic installation script at said service computer for 
automatically installing updated antivirus information 
on said plurality of client computers across the local 
area network. 